On 20 Oct 21:01, Uwe Werler wrote:
> Hi folks,
>
> before opening a bug report I'll ask here because I want to make sure that I
> have not missed something.
>
> With the upgrade to 6.8 my cert validation seems to be broken because the
> hashed certs in /etc/ssl/certs are not honored anymore. I usually stored our
> L1 and L2 ca certs in /etc/ssl/certs and hashed them with "openssl certhash".
> That worked for all my machines until 6.7 but broke with 6.8. Adding the ca
> certs to /etc/ssl/cert.pem works.
>
> Did I miss something? I guess something changed during k2k20 in "certificate
> chain validation in libcrypto"?
>
> Thanks and with kind regards.
>
> Uwe
>

Mmh, it seems to me that libssl is broken. After the upgrade to 6.8 my openldap
proxies were screwed too. I configured explicitly

olcTLSCACertificatePath: /etc/ssl/certs

But that broke so I had to change to:

olcTLSCACertificateFile: /etc/ssl/cert.pem

... and I had to change also /etc/openldap/ldap.conf from:

TLS_CACERTDIR /etc/ssl/certs

to

TLS_CACERT /etc/ssl/cert.pem

to keep syncrepl running.

--
wq: ~uw